DCTF 2015 - Web Challenges

by
Filippo "fcremo" Cremonese, Alessandro "cube" De Vito
on October 11, 2015
under DCTF2015


Web100

This challenge was quite straightforward: we only had a textual input field and the suggestion to use the coupon (DCTF_ADD_MONEY).
That coupon could normally be used just a single time, but the goal was to get more money than a single coupon would give you.

Web200

We had a service that allowed you to upload zip files, decompressed them and let you download the contents. There was a comment in the HTML source: getent passwd | grep someuser | cut ... (sorry, I haven’t saved the specific command).
I created a zip file containing a symbolic link to /etc/passwd:

$ ln -s /etc/passwd mylink
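# --symlinks stores the link itself; without it zip archives the file the link points to
$ zip --symlinks archive.zip mylink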

I uploaded the archive and… nothing, the website didn’t display my file.
The service allowed you to see the debug logs of the unzip command executed server side, and in the logs I could see my link was being extracted correctly. So I tried to manually download the passwd file by manipulating the download URL of another archive I had uploaded earlier, and it worked!
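
The same issue from the defender's side, as an added example that is not part of the original write-up: a pre-extraction check that finds symlink entries in an uploaded archive, and a download-time check that refuses any path resolving outside the extraction directory. The function names, the sample archive and notes.txt are constructed for illustration.

```python
import io
import os
import stat
import zipfile


def make_sample_zip() -> bytes:
    """Constructed sample: a regular file plus a symlink entry like the one in the write-up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        link = zipfile.ZipInfo("mylink")
        link.create_system = 3  # Unix: high 16 bits of external_attr carry st_mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")  # a symlink entry's data is its target
    return buf.getvalue()


def find_symlink_entries(zip_bytes: bytes) -> list:
    """Pre-extraction check: return (name, target) for each symlink entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def is_servable(extract_dir: str, requested: str) -> bool:
    """Download-time check: the resolved path must be a file inside extract_dir."""
    base = os.path.realpath(extract_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base and os.path.isfile(target)


if __name__ == "__main__":
    for name, target in find_symlink_entries(make_sample_zip()):
        print(f"reject upload: {name} -> {target}")
```

Either check alone would have stopped the download described above; the second one also covers links that reach the directory by some route other than the upload.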

Web400 (CSS Engineer)

The PHP code that allowed you to get the user images used cat:

$ curl "http://10.13.37.5/?id=2&usr=1"
cat: images/2_6.jpg: No such file or directory

It was vulnerable to command injection because it constructed the path to output from user input without sanitizing it correctly.